

Global Trustee and Fiduciary Services News and Views | Issue 47 | 2017
• In the context of the activities of an
establishment of a data controller or data
processor in the EU, irrespective of whether
the processing takes place in the EU;
• Or by a data controller or data processor that is
not established in the EU, but that is processing
personal data of individuals who are in the EU
where those processing activities relate to the
offering of goods or services to those individuals
who are in the EU, or to the monitoring of the
behaviour of those individuals insofar as their
behaviour takes place within the EU.
With the above in mind, here are our ABCs
of the GDPR.
A: Awareness
The ways in which data can be collected,
generated, disseminated and used have
multiplied exponentially with the growth in new
technologies. It is therefore more important
than ever for managers to ensure that they
make individuals aware of their processing
activities. Furthermore, the GDPR introduces
an obligation on data controllers to notify most
data breaches to the DPA (in the UK, this is
the Information Commissioner’s Office or ICO)
without undue delay and, where feasible, within
72 hours of awareness of the breach.
However, this transparency with individuals and
regulators can only be achieved if the manager
itself has a good handle on the data processing
activities that its business undertakes. The
requirement for awareness is therefore twofold:
Awareness of individuals
(aka transparency of processing)
One of the core principles of the GDPR is that
personal data must be “processed lawfully, fairly
and in a transparent manner”.[4]
The requirement
for fairness in this provision requires fair
processing information to be provided to
individuals, and is not dissimilar to the
requirements of the Directive. What is different
is that the rules in the GDPR relating to this
provision of information:
• Emphasise that the information must be
user-friendly and accessible.
• And are more prescriptive, setting out a
fuller list of information to be provided to
individuals including: the legal basis for
processing, details of transfers to third
countries and safeguards, retention periods
for the personal data, and individuals’ rights
with respect to personal data.
Adopting the ICO’s suggested “layered” or
“blended” approach to the provision of this
information (i.e. so that the information does
not have to be provided in a single document,
but instead can be provided via different
channels) can help managers to adopt a
pragmatic yet compliant approach to this
transparency requirement.[5]
Self-awareness
The type of information that needs to be
provided in a fair processing notice, as well as
on a data security breach, necessarily requires
managers to be intimately familiar with their
data processing activities. The GDPR entrenches
a number of tools that can be of help in this
regard, some of which we highlight below.
Privacy impact assessments
Where a data controller is undertaking a type
of processing (e.g. involving new technologies)
that is likely to result in a high risk to rights
and freedoms of individuals, the GDPR requires
[Sidebar graphic: Types of data in a manager’s data bank, shown on a spectrum from “Not personal data” through “May be personal data” to “Personal data”. Items plotted: employee (and related) data; net-worth information about high-net-worth persons; high-value email and contact lists; research and investment strategies; proprietary risk and trading algorithms.]